Replies: 1 comment 4 replies
-
|
Not sure what you would like to have. If there is a way to generate such a list, then this would be interesting. I am however not willing to spend manual effort for this. |
Beta Was this translation helpful? Give feedback.
-
|
I understand. As a temporary solution, would it be possible to provide a screenshot of your current dismissed CodeQL alerts? Simply go to the security tab > Code scanning > closed, and then filter for Closed as [False positive, Used in tests, Won't fix]. If possible, that would be highly appreciated! |
Beta Was this translation helpful? Give feedback.
-
Here you go. It seems some of the issues are not valid any more as they have a "Fixed in branch..." comment on them. As an experiment, I reopened one of those which I closed as "used in tests" and see if it is tagged as "closed" automatically. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks a lot! This is very helpful. |
Beta Was this translation helpful? Give feedback.
-
|
Do be fair: I since added Flawfinder and Semgrep to the CI. The former found some 200 issues. 95% were in test code, and the remaining ones are false positives so far. Once I reviewed all of them, I will update this. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hello,
Any potential security alerts from dependabot and CodeQL that have already been dismissed in this repo as e.g., "False positive", "Used in test" or "Won't do" are reopened in downstream users' forks of nlohmann/json.
As such, would it be possible to share or somehow make the list of dismissed security alerts public, such that downstream users can follow the same steps?
Thanks in advance!
Beta Was this translation helpful? Give feedback.
All reactions